This is the accessible text file for GAO report number OIG-13-2
entitled 'Information Security: Evaluation of GAO's Program and
Practices for Fiscal Year 2012' which was released on February 13,
2013.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Office of the Inspector General:
U.S. Government Accountability Office:
Information Security:
Evaluation of GAO’s Program and Practices for Fiscal Year 2012:
OIG-13-2:
Office of the Inspector General:
U.S. Government Accountability Office:
Report Highlights:
February 2013:
Information Security:
Evaluation of GAO’s Program and Practices for Fiscal Year 2012:
What We Found:
The Federal Information Security Management Act of 2002 (FISMA)
requires that each federal agency establish an agency-wide information
security management program for the information and information
systems that support the agency’s operations and assets. GAO is not
obligated by law to comply with FISMA or Executive Branch information
policies, but has adopted them to help ensure physical and information
system security. Our prior year evaluations have shown that GAO has
established an overall information security program that is generally
consistent with the requirements of FISMA, OMB implementing guidance,
and standards and guidance issued by the National Institute of Standards
and Technology. For example, GAO has well-defined operational and
technical controls for remote access to its network. Its
telecommuting policy requires users to sign rules of behavior and
user agreements that acknowledge their responsibility and
accountability. GAO also has a process for reporting and disabling
lost or stolen devices to prevent unauthorized access. In addition,
GAO has continued its focus on closing prior year security-related
recommendations.
Our fiscal year 2012 limited evaluation reinforced our prior conclusion.
However, using 18 new FISMA reporting metrics for federal inspectors
general, we identified areas for improvement in the contingency planning
process. We also identified resource challenges that affect GAO’s
ability to implement security upgrades and strategies identified by GAO
managers and the OIG.
What We Recommend:
To help strengthen GAO’s overall information security program, we
recommend that the Chief Information Officer take the following two
actions: (1) implement measures to increase the redundancy and
availability of GAO mission-essential applications and (2) develop and
provide, for GAO senior management consideration, a proposed strategy
to ensure power redundancy to GAO servers and provide a long-term
alternate power supply in the event of a power outage. GAO concurred
with our recommendations.
[End of section]
Office of the Inspector General:
U.S. Government Accountability Office:
Memorandum:
Date: February 13, 2013:
To: Comptroller General Gene L. Dodaro:
From: [Signed by] Inspector General Adam Trzeciak:
Subject: Information Security: Evaluation of GAO's Program and
Practices for Fiscal Year 2012:
We have completed a limited-scope, independent evaluation of the
effectiveness of GAO's information security program and practices for
fiscal year 2012 as prescribed by the Federal Information Security
Management Act of 2002 (FISMA).[Footnote 1] FISMA requires federal
agencies to develop, document, and implement an agency-wide
information security program to provide security for the information
and information systems that support their operations and assets,
including those provided or managed by another agency, contractor, or
other source. In addition, each agency is required to have an annual
independent evaluation of its information security program and
practices, including control testing and compliance assessment, which
is to be performed by the agency Inspector General (IG) or by an
independent external auditor. GAO is not obligated by law to comply
with FISMA or executive branch information policies, but has adopted
them to help ensure physical and information system security.
Our prior year evaluations have shown that GAO has established an
overall information security program that is generally consistent with
the requirements of FISMA, OMB implementing guidance, and standards
and guidance issued by the National Institute of Standards and
Technology (NIST).[Footnote 2] Our fiscal year 2012 limited review
reinforced our prior conclusion, although this year, we identified
areas for improvement in the contingency planning process. We also
identified resource challenges that impact GAO's ability to implement
security upgrades and strategies identified by GAO managers and the
OIG. This report includes recommendations to help the agency more
fully implement federal information security requirements for these
program elements.
Objectives, Scope, and Methodology:
For fiscal year 2012, we performed a limited FISMA evaluation of GAO's
information security program and practices. Specifically, we assessed
GAO's compliance with the 18 new FISMA metrics for fiscal year 2012
developed by the Department of Homeland Security (DHS) for reporting
by executive agency Inspectors General,[Footnote 3] rather than the
complete list of DHS metrics as in prior years. These metrics
established minimum and target levels of performance for
administration priorities and metrics for other key performance areas
that were designed to focus federal agency efforts on network
security. Our review included the following eight information security
areas: Configuration Management, Identity and Access Management,
Incident Response and Reporting, Risk Management, Security Training,
Plan of Action and Milestones (POA&M), Remote Access Management, and
Contingency Planning. (See attachment I.)
We also evaluated changes to GAO systems, policies, and procedures in
fiscal year 2012 that could potentially affect GAO's information
security program. To assess GAO's performance for these areas, we
analyzed the agency's information security policies, procedures, and
guidance; interviewed staff in GAO's Information Systems and
Technology Services (ISTS) office; and obtained additional data and
documentation from them. In addition, we reviewed the security control
documentation for GAO systems using a risk-based approach. As part of
our review of Contingency Planning, we toured the Local Area Network
Operations Center (LOC), visually inspected electrical circuits, and
physically traced power cords for servers to check for power
redundancy. Finally, we identified actions taken in response to past
FISMA recommendations and determined if any of these recommendations
can be closed.
We conducted this evaluation from December 2012 to February 2013 in
accordance with the Quality Standards for Inspection and Evaluation
established by the Council of the Inspectors General on Integrity and
Efficiency in January 2012. Those standards require that we plan and
perform the evaluation to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on
our objectives. We believe the evidence obtained provides a reasonable
basis for our findings and conclusions based on our evaluation
objectives.
Background:
To help protect against threats to federal systems, FISMA sets forth a
comprehensive framework for ensuring the effectiveness of information
security controls over information resources that support federal
operations and assets. Its framework creates a cycle of risk
management activities necessary for an effective security program. It
is also intended to provide a mechanism for improved oversight of
federal agency information security programs. In order to ensure the
implementation of this framework, FISMA assigns specific
responsibilities to OMB, agency heads, chief information officers
(CIO), inspectors general, and NIST. OMB is tasked with developing and
overseeing the implementation of policies, principles, standards, and
guidelines on information security; reporting at least annually on
agency compliance with the act; and approving or disapproving agency
information security programs. Agency heads are tasked with providing
information security protections commensurate with the risk and
magnitude of the harm resulting from unauthorized access, use,
disclosure, disruption, modification, or destruction of information
collected or maintained by or on behalf of the agency. Agency heads
and CIOs are tasked with developing, documenting, and implementing
agency-wide information security programs. Inspectors general are
tasked with conducting annual independent evaluations of agency
efforts to effectively implement information security. NIST is tasked
with providing standards and guidance to agencies on information
security.
Changes to GAO Control Environment during Fiscal Year 2012:
ISTS did not retire any existing FISMA systems or add any new FISMA
systems in fiscal year 2012. Therefore, the GAO FISMA inventory
remained unchanged from fiscal year 2011. During fiscal year 2012,
ISTS implemented software upgrades including Microsoft Office 2007 and
Oracle 11g. We reviewed configuration management documentation and
verified that these changes were authorized and approved.
Improvements Needed to Fully Implement Security Program:
GAO has established an information security program that is generally
consistent with federal requirements, guidance, and standards. Of
particular note in fiscal year 2012, ISTS updated procedures for
managing and tracking annual security awareness training and role-
based training to more accurately report compliance and ensure
accountability for the required training. The recently developed
Mandatory Training Portal allows ISTS managers to track who has
completed information security awareness and role-based training. It
also allows portal administrators to send automated e-mail
notifications to those who have not yet satisfied the requirement. GAO
reported that awareness training compliance was at 99 percent and the
role-based training compliance was at 98 percent.
GAO also has well-defined operational[Footnote 4] and technical
[Footnote 5] controls for Remote Access Management. For example, GAO
has a published telecommuting policy that requires users to sign rules
of behavior and user agreements that acknowledge their responsibility
and accountability. GAO also has a process for reporting and disabling
lost or stolen devices to prevent unauthorized access. We reviewed
documentation from an actual lost property incident and verified that
ISTS personnel followed these procedures.
However, information security threats change almost daily, requiring
constant diligence and oversight to mitigate possible impact on
information availability, integrity, and continuity. In evaluating
elements of this program based on the DHS reporting metrics for
Inspectors General (IG), we identified specific improvements needed to
help ensure that security requirements are fully implemented.
Evaluation results for these program elements are as follows.
Limitations Exist in GAO Information Technology Contingency Planning:
GAO maintains an overall continuity program, which among other things,
provides for the health and safety of GAO employees, contractors, and
visitors, and ensures GAO will be able to maintain its operational
capability in the event of a disaster or disruption. As a key element
of this program, ISTS maintains a contingency plan that identifies and
centralizes processes necessary to recover GAO Network services
following a disruption that significantly degrades or disrupts network
use.[Footnote 6] Further, ISTS maintains detailed procedures for
specific events, such as planned[Footnote 7] and unscheduled power
outages.[Footnote 8]
These plans and procedures cover the GAO Network and all major
applications (systems) located in the LOC at GAO Headquarters, and
activating the plan may involve relocation of network operations to
GAO's Alternate Computing Facility (ACF) located outside of
Washington, D.C. However, as reported in the fiscal year 2011
evaluation, the ACF currently provides only limited disaster recovery
capabilities and will require additional funding and executive support
to build out the ACF infrastructure required to fully support GAO's
mission-essential functions, should network operations become
dependent on this facility.[Footnote 9]
The ACF is equipped with servers to run a portion of applications to
support mission-essential functions including the Document Management/
Electronic Records Management System (DM/ERMS), General Counsel's case
tracking system (GC Track), the Congressional Contact System, and My
Locator. However, it is important to note that the data on these
servers are not updated in real time, so in the event of an emergency
any changes made since the most recent update would be lost. Because
current procedures rely on a nightly incremental backup of data,
[Footnote 10] up to 24 hours' worth of data could be lost in an
emergency.
In addition, although the ACF can provide "go-forward" e-mail services
(no historical e-mail), ISTS does not yet have processes to migrate
e-mails created through ACF operations back into LOC e-mail servers,
should normal operations resume. This means that during a disaster or
disruption, GAO personnel would not be able to access e-mails sent or
received before the event. Further, once the event is over, any e-
mails sent or received during the disruption may no longer be
accessible. This could seriously impair communication with key
stakeholders, including congressional staff and agency officials.
Other essential applications do not currently have servers at the ACF.
These applications include the Asset Manager, the webTA System, the
Job Information System, and the Engagement Results Phase. As a result,
equipment would need to be procured or transferred to the ACF before
any data could be loaded and restored. This would likely cause
significant delays in recovering IT operations after an emergency.
In the event of a power outage or similar disruption, ISTS personnel
would have approximately 15-20 minutes of emergency battery power to
gracefully shut down approximately 300 servers in the GAO Headquarters
LOC. According to ISTS personnel, the majority of federal agencies and
private companies rely on a generator to extend that timeframe. This
is consistent with NIST guidance that states organizations should
provide a long-term alternate power supply for information systems
that is capable of maintaining minimally-required operational
capability in the event of an extended loss of the primary power
source. ISTS personnel estimated that the cost for a generator was $2
million and deemed it to be cost-prohibitive. As a result, data on any
server that is not shut down gracefully (i.e., through an orderly
shutdown procedure, which often requires several minutes or more) is at
risk of loss or corruption. That risk is significantly greater on
evenings and weekends, when the number of ISTS staff physically on site
is minimal.
We also noted that power circuits in the LOC are not redundant, which
is not consistent with NIST guidance and industry best practices. For
example, rows of servers are connected to a single Power Distribution
Unit (PDU).[Footnote 11] If the transformer within that PDU were to
fail, the entire row of servers would lose power. Similarly, we
observed that servers were plugged into the same circuit from a single
PDU. If that circuit breaker were to trip or fail, those servers would
lose power. To maintain power redundancy, each server's power supplies
must be plugged into separate, independent power circuits, fed from
different PDUs where possible, so that no single breaker or PDU failure
removes all power to a server.
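As an added illustration, not part of the original report, the following Python script performs the kind of power-path check described above over a server-to-PDU inventory. It flags servers whose feeds all depend on a single circuit or a single PDU, and rows in which every server hangs off the same PDU. The inventory, server names, PDU and circuit labels, and row layout are constructed for the example and do not describe GAO's LOC.

```python
"""Check a server power-feed inventory for single points of failure.

Added example, not part of the OIG report.  Each server lists the feeds of its
power supplies as (PDU, circuit) pairs.  A server has redundant power only if
it has at least two feeds and no single circuit or single PDU carries all of
them; a row is exposed if every server in it depends on the same PDU, so one
transformer failure takes the whole row down.
"""

# Constructed inventory (hypothetical names; not GAO's LOC).
INVENTORY = {
    # Row A mirrors the report's findings: one PDU for the whole row, and
    # web-02 with both power supplies on the same circuit.
    "web-01": [("PDU-1", "C3"), ("PDU-1", "C4")],
    "web-02": [("PDU-1", "C3"), ("PDU-1", "C3")],
    "web-03": [("PDU-1", "C5")],
    # Row B: each server fed from two circuits on two different PDUs.
    "db-01": [("PDU-2", "C1"), ("PDU-3", "C7")],
    "db-02": [("PDU-2", "C2"), ("PDU-3", "C8")],
}
ROWS = {
    "row-A": ["web-01", "web-02", "web-03"],
    "row-B": ["db-01", "db-02"],
}


def server_issues(feeds):
    """Return the single points of failure for one server's feeds (empty if none)."""
    if len(feeds) < 2:
        return ["single power feed"]
    issues = []
    # A circuit is identified by its PDU plus breaker position, so identical
    # (PDU, circuit) pairs mean both supplies sit behind one breaker.
    if len(set(feeds)) == 1:
        issues.append("all feeds on one circuit")
    if len({pdu for pdu, _ in feeds}) == 1:
        issues.append("all feeds on one PDU")
    return issues


def audit_servers(inventory):
    """Map every non-redundant server to its list of issues."""
    report = {}
    for name, feeds in inventory.items():
        issues = server_issues(feeds)
        if issues:
            report[name] = issues
    return report


def audit_rows(inventory, rows):
    """Map each row whose servers all depend on a single PDU to that PDU."""
    at_risk = {}
    for row, servers in rows.items():
        pdus = {pdu for s in servers for pdu, _ in inventory[s]}
        if len(pdus) == 1:
            at_risk[row] = next(iter(pdus))
    return at_risk


if __name__ == "__main__":
    for name, issues in audit_servers(INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
    for row, pdu in audit_rows(INVENTORY, ROWS).items():
        print(f"{row}: every server depends on {pdu}")
```

Run against the constructed inventory, the script reports web-01 (one PDU), web-02 (one circuit and one PDU), web-03 (single feed), and row-A as wholly dependent on PDU-1, while the row-B servers pass. A real inventory would come from rack documentation or the physical cord tracing the evaluation describes; the check is only as good as that inventory.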
Finally, ISTS informed us that they have not briefed members of the
GAO Executive Committee on the specific risks posed by a power outage
or similar disruption. We believe such briefings are an essential step
in the Contingency Planning process.
Resource Challenges Exist in GAO's Information Security Program:
Resource challenges in the Information Systems Security Group
adversely impact GAO's ability to implement necessary upgrades
identified by GAO managers and our prior work. For example, one area
particularly affected is ISTS's ability to segregate responsibilities.
Through interviews with ISTS personnel, we learned that staff have
collateral duties that often pose competing priorities. For example,
the Information System Security Officer (ISSO) is primarily
responsible for ensuring implementation of system-level security
controls and maintaining system documentation. However, the ISSO has
also been assigned responsibility for audits and compliance.
Similarly, engineering staff periodically have to perform monitoring
duties or monitoring staff have to perform engineering duties.
Further, the director frequently performs operational duties that take
time away from management and strategic activities.
During our fiscal year 2011 evaluation, ISTS sometimes cited competing
resource needs as a cause of delayed correction of information security
weaknesses. OMB and NIST guidance require agencies to identify
vulnerabilities, establish priorities, and assign the staffing or
financial resources required to resolve a weakness. We believe that
estimating the resources needed to correct a weakness could aid in
managing the overall remediation process.
Status of Prior Recommendations:
During fiscal year 2012, to implement recommendations made in our
FISMA evaluation for fiscal year 2011, ISTS took the following actions:
* Integrated an enterprise risk management program into its
Information Technology Investment Committee governance and oversight
process.
* Updated GAO's procedures for managing and tracking annual security
awareness training and role-based training to accurately report
training compliance.
* Briefed senior management on the current ACF capabilities and a
strategy for contingency operations at that site.
During fiscal year 2012, ISTS continued efforts to implement the one
remaining 2011 FISMA recommendation that the CIO establish monitoring
procedures that enhance accountability for, and management of, GAO's
information security weakness remediation process by:
* Ensuring that business and system owners provide, and the
Information Systems Security Group incorporates into the POA&M, timely
updates that include current estimated completion dates for all open
or delayed weaknesses; and:
* Reconsidering the need to identify resources required to resolve a
weakness, including funding or other nonfunding obstacles or
challenges, such as staffing, that may adversely affect its
remediation.
In addition, GAO continued efforts to implement the fiscal year 2009
FISMA recommendations to (1) develop policies and procedures that
would meet the intent of a breach notification policy and plan as
prescribed by OMB, and (2) establish a program to provide both initial
and annual refresher privacy training to GAO's employees and managers.
Implementing these two recommendations is dependent on finalizing a
GAO security incident response directive and a GAO privacy rule and
order, respectively. We commented on draft versions of these
documents. However, as of February 7, 2013, these documents were not
final.
Conclusions:
Our prior year evaluations have shown that GAO has established an
information security program that is generally consistent with federal
requirements, guidance, and standards. Our fiscal year 2012 limited
review reinforced our prior conclusion and identified areas for
improvement in the contingency planning process. We also identified
resource challenges that affect GAO's ability to implement security
upgrades and strategies identified by GAO managers and the OIG.
It is essential to ongoing program effectiveness that GAO continually
assess whether established processes and practices are operating as
intended and make certain that changes in federal security
requirements, guidance, and techniques are proactively incorporated
into a formal, well-documented program. In addition, senior management
involvement in determining how the organization assesses and mitigates
information-system-related security risks will help to strengthen the
agency's overall information security program.
Recommendations for Executive Action:
To help strengthen GAO's overall information security program, we
recommend that the CIO take the following two actions:
* Implement measures to increase the redundancy and availability of
GAO mission-essential applications.
* Develop and provide, for GAO senior management consideration, a
proposed strategy to ensure power redundancy to GAO servers and
provide a long-term alternate power supply in the event of a power
outage.
Agency Comments and Our Evaluation:
The Inspector General provided GAO with a draft of this report for
review and comment. (See attachment II.) GAO concurred with our
recommendations. The agency also provided technical comments that we
incorporated, as appropriate.
Actions taken in response to our recommendations are expected to be
reported to my office within 60 days.
We are sending copies of this report to the other members of GAO's
Executive Committee (Chief Operating Officer, Chief Administrative
Officer/Chief Financial Officer, and General Counsel), GAO's Audit
Advisory Committee, and other key managers. The report is also
available on the GAO website at [hyperlink,
http://www.gao.gov/about/workforce/ig.html].
If you or your staff have any questions about this report, please
contact me at (202) 512-5748 or trzeciaka@gao.gov. Contact points for
GAO's Office of Congressional Relations and Public Affairs may be
found on the last page of this report. Key contributors to this report
were Douglas Carney and Cathy Helm, Deputy Inspector General.
[End of section]
Attachment I:
The following are the Department of Homeland Security's eighteen new
fiscal year 2012 FISMA metrics for reporting by executive agency
Inspectors General.[Footnote 12]
2. Configuration Management.
2.1.8. Software assessing (scanning) capabilities are fully
implemented.
2.1.9. Configuration-related vulnerabilities, including scan findings,
have been remediated in a timely manner, as specified in Organization
policy or standards.
2.1.10. Patch management process is fully developed, as specified in
Organization policy or standards.
3. Identity And Access Management.
3.1.5. Organization has adequately planned for implementation of PIV
for logical access in accordance with government policies.
3.1.8. Identifies all User and Non-User Accounts (refers to user
accounts that are on a system. Examples of non-user accounts are
accounts such as an IP that is set up for printing. Data user accounts
are created to pull generic information from a database or a guest/
anonymous account for generic login purposes that are not associated
with a single user or a specific group of users).
4. Incident Response And Reporting.
4.1.8. There is sufficient incident monitoring and detection coverage
in accordance with government policies.
5. Risk Management.
5.1.15. Security authorization package contains Accreditation
boundaries for Organization information systems defined in accordance
with government policies.
6. Security Training.
6.1.6. Training material for security awareness training does not
contain appropriate content for the Organization.
7. Plan Of Action & Milestones (POA&M).
7.1.7. Costs associated with remediating weaknesses are identified.
8. Remote Access Management.
8.1.4. Telecommuting policy is fully developed.
8.1.9. Lost or stolen devices are disabled and appropriately reported.
8.1.10. Remote access rules of behavior are adequate in accordance
with government policies.
8.1.11. Remote access user agreements are adequate in accordance with
government policies.
9. Contingency Planning.
9.1.8. After-action report that addresses issues identified during
contingency/disaster recovery exercises.
9.1.9. Systems that have alternate processing sites.
9.1.10. Alternate processing sites are subject to the same risks as
primary sites.
9.1.11. Backups of information that are performed in a timely manner.
9.1.12. Contingency planning that consider supply chain threats.
[End of table]
[End of section]
Attachment II:
GAO:
Memorandum:
Date: February 6, 2013:
To: Inspector General — Adam Trzeciak:
From: [Signed by] Chief Administrative Officer — David M. Fisher:
Subject: Agency Response to Evaluation of GAO's Information Security
Program and Practices for Fiscal Year 2012:
Thank you for the opportunity to comment on the draft report
Information Security: Evaluation of GAO's Program and Practices for
Fiscal Year 2012 (GAO-OIG-13-2). Although not obligated by law to
comply with the Federal Information Security Management Act (FISMA),
GAO remains committed to being a leading practice Federal Agency by
implementing security requirements consistent with this Act.
Based on your review, you found that GAO has established an
information security program that is generally compliant with the
FISMA requirements and guidance and standards set forth by the Office
of Management and Budget and National Institute of Standards and Technology.
Additionally, you outlined two recommendations to further improve
GAO's program: (1) implement measures to increase the redundancy and
availability of GAO mission-essential applications; and (2) develop
and provide for GAO senior management consideration a proposed
strategy to ensure power redundancy to GAO servers and provide a long-
term alternate power supply in the event of a power outage.
Overall, we concur with the report recommendations. I am pleased to
report that we are already making progress in addressing
recommendation #1. ISTS has developed and vetted a strategy with GAO
management to upgrade the GAO infrastructure utilizing a virtualized
server environment at both the HQ and the Alternate Computing Facility
(ACF). Server virtualization will provide the foundation for effective
redundancy and high availability of our mission-essential
applications, while reducing our dependency on a high number of
servers in GAO's LAN Operations Center. GAO authorized FY 13 funds to
begin this effort, which we expect to complete over the next 2 years.
With regards to recommendation #2, we agree that GAO should identify a
long-term alternate power supply and will look to the CIO to identify
current and future power supply requirements for the LAN Operations
Center and propose a strategy to ensure power redundancy to GAO
servers. Upon receipt, GAO management will work proactively to address
this issue.
Within 60 days of this report being issued in final, we will provide
you with a more comprehensive update that includes target completion
dates for actions not yet taken.
Please contact me at (202) 512-5800 if you have any questions.
CC:
Cathy Helm, OIG:
Howard Williams, ISTS:
Cheryl Whitaker, Deputy CAO:
Bill Anderson, Controller:
[End of section]
Footnotes:
[1] Enacted as Title III of the E-Government Act of 2002, Pub. L. No.
107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).
[2] GAO/OIG, Information Security: Evaluation of GAO's Program and
Practices for Fiscal Year 2010, [hyperlink,
http://www.gao.gov/products/GAO/OIG-11-3] (Washington, D.C.: Mar. 4,
2011); and Information Security: Evaluation of GAO's Program and
Practices for Fiscal Year 2011, [hyperlink,
http://www.gao.gov/products/GAO/OIG-12-2] (Washington, D.C.: Mar. 30,
2012).
[3] U.S. Department of Homeland Security, FY 2012 Inspector General
Federal Information Security Management Act Reporting Metrics, (March
6, 2012).
[4] Operational controls are safeguards or countermeasures for an
information system that are primarily implemented and executed by
people (as opposed to systems).
[5] Technical controls are safeguards or countermeasures for an
information system that are primarily implemented and executed by the
information system through mechanisms contained in the hardware,
software, or firmware components of the system.
[6] GAO Network IT Contingency Plan, version 6.0 (August 2012).
[7] Power Outage/Testing Checklist, Version 1.1 (March 10, 2011).
[8] Checklist Emergency LOC Shutdown
[9] Mission Essential Functions (MEFs) are defined as a limited set of
department-and agency-level government functions that must be
continued after a disruption of normal activities.
[10] An incremental backup captures files that were created or changed
since the last backup. Incremental backups afford more efficient use
of storage media, and backup times are reduced.
[11] A PDU is a device designed to transform raw power feeds into
lower capacity power feeds and distribute that electricity to racks of
computers and networking equipment located within the data center.
[12] U.S. Department of Homeland Security, FY 2012 Inspector General
Federal Information Security Management Act Reporting Metrics, (March
6, 2012).
[End of section]
Reporting Fraud, Waste, and Abuse in GAO’s Internal Operations:
To report fraud, waste, and abuse in GAO’s internal operations, do one
of the following. (You may do so anonymously.)
* Call toll-free (866) 680-7963 to speak with a hotline specialist,
available 24 hours a day, 7 days a week.
* Online at: [hyperlink, https://OIG.alertline.com].
Obtaining Copies of OIG Reports and Testimony:
To obtain copies of OIG reports and testimony, go to GAO’s Web site:
[hyperlink, www.gao.gov/about/workforce/ig.html].
Congressional Relations:
Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
4400, U.S. Government Accountability Office, 441 G Street NW, Room
7125, Washington, DC 20548.
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149,
Washington, DC 20548.
[End of document]